Should companies be fined for not doing cyber security basics?

The big headline-grabber about the General Data Protection Regulation (GDPR), set to come into force in 2018, is the huge fine that can be imposed on companies that have failed to comply with the legislation.

The GDPR, which replaces the 1995 Data Protection Directive, sets the maximum fine for a single breach of GDPR at the greater of €20 million or 4 percent of annual global revenue.

Either would be an eye-watering figure for most companies. But while the EU has displayed considerable teeth in the GDPR rules, which include reporting a breach within 72 hours and, for certain companies, appointing a data protection officer, there is no fine for actually being breached.


A fine for the mere fact of a breach might be unfair considering that some attacks are advanced enough to be, to all intents and purposes, unblockable.

Yet what is telling about many modern attacks is how easy they would have been to prevent. According to the 2016 Verizon Data Breach Investigations Report, most attacks exploit known vulnerabilities that have not been patched, even though patches may have been available for months or years. The report found that the top 10 known vulnerabilities accounted for 85 percent of successful exploits, while 63 percent of confirmed data breaches involved weak, default or stolen passwords.

Count of Common Vulnerabilities and Exposures (CVEs) exploited in 2015, by CVE publication date.

Verizon also found in the report that 13 percent of people tested clicked on a phishing attachment.

As Rik Ferguson, Global VP of Security Research at Trend Micro, said on a cyber security panel at IP EXPO, an SQL injection “should not succeed” in 2016. Yet TalkTalk was hacked successfully through that very means in 2015.

So should companies worry that fines will at some point be introduced, not for being breached per se, but for failing to take even the basic security measures needed to protect themselves?

There are some means in place to levy fines, at least in TalkTalk’s home country of the UK: it was hit with a fine by the Information Commissioner’s Office (ICO) for failing to take basic steps to protect customer information.

But compared to the scale of a GDPR fine, having to pay £400,000 (about 0.02 percent of the company’s annual revenue) is not a truly daunting figure – certainly not one that is likely to drastically alter its investment or strategy.

The rest of the cost of the breach, estimated by TalkTalk at £60 million, was felt elsewhere, in damaged reputation and customer losses, but still only amounted to around 3.3 percent of the revenue figure.

For a fine to force action it would have to be something genuinely business-impacting like the GDPR.

TalkTalk received a £400,000 fine for failing to follow basic security practices.

As Steve Manzuik, Director of Security Research at Duo Security’s Duo Labs, says, financial penalties are often treated as simply another cost.

“Businesses are going to make a risk-based decision. If the fine is cheaper than what it would take to build security, they may just take the fine.”

He uses the hypothetical example of a $100,000 investment to tackle security issues versus a $50,000 fine: many, Manzuik says, will simply accept the risk of the latter and buy insurance.

“While it’s frustrating, from a business and risk perspective it probably makes sense to those people running the business.”

Putting in place larger fines for failing to observe cyber security basics would need both the will and the means to enforce them.

As Quocirca Analyst and Director Bob Tarzey says, the immediate question is not what, but who: which authority would implement such regulation in the borderless world of the internet?

No obvious candidate suggests itself, although for the regulation to have any meaning at all it would have to apply across borders.